MECIT (United States of America)

asked on

Create a BOVPN between Watchguard X550e and XTM21

I am attempting to create a BOVPN between two WatchGuard devices, an X550e and an XTM21.
I have followed the instructions from the WG website, but I am still having issues connecting.

I can see the gateway but no tunnel.

I currently have an existing BOVPN to a vendor network and it works.

Does it matter that I used the same external IP to create the second tunnel?
I am using the secondary IPs assigned by our ISP on the XTM 21 for the external interface; would that be an issue?

Any suggestions?
setasoujiro (Belgium):

Hi,

I'm not sure what you mean, but you cannot use a secondary IP for a BOVPN.
You can use one IP several times for other tunnels.
Also, you can enable logging for IPSec so you can see what's going on:
in Policy Manager, Setup --> Logging --> Diagnostic Logging --> IKE, and set it to Debug.

Then save the config. Now open System Manager --> Traffic Monitor --> choose the debug icon (the little beetle).
Then see if there are any logs.
MECIT (asker):
I have the logs running, but the only thing that shows up is the working BOVPN.
There is nothing for the one I just created.
I don't even see it failing.

Do any other policies affect the BOVPN?
Is there something else I should do?
dpk_wal:
Have a look at link below:
http://customers.watchguard.com/articles/Article/3002?retURL=%2Fapex%2FknowledgeHome&popup=false

Please check and update.

Thank you.
As I said, you cannot use a secondary IP; you need the primary.
Modify and test again please.
MECIT (asker):

I went back and recreated the BOVPN.
I used the default settings and created a new shared key, and I noticed that I had the incorrect IP on one of the remote gateways on Site A.

Once I made these changes, the tunnel was created.

However, I cannot ping anything on either side. From Site B, I cannot access servers at Site A.
SOLUTION
dpk_wal (India):
[answer hidden; requires an account]
MECIT (asker):

On both WatchGuards I have the following policies:

Site A
  BOVPN-Allow.In    Any   From: Any                To: Tunnel to Site B   Any
  BOVPN-Allow.Out   Any   From: Tunnel to Site B   To: Any                Any

Site B
  BOVPN-Allow.In    Any   From: Any                To: Tunnel to Site A   Any
  BOVPN-Allow.Out   Any   From: Tunnel to Site A   To: Any                Any

They were created automatically.
Policies look good.
What are the IP subnets on both sides of the VPN tunnel, and on the machines at either end? The WG internal IP must be the default gateway. Finally, ensure that there is no personal firewall/antivirus blocking the traffic.
MECIT (asker):

Tunnel Routes

Site A: 172.16.100.0/24 <==> 172.16.5.0/24
Site B: 172.16.5.0/24 <==> 172.16.100.0/24

Gateways are correct on computers.
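The settings being compared at this point (remote gateway IPs, tunnel routes on both sides, and the auto-created BOVPN-Allow policies) are exactly the ones that a mechanical cross-check catches before anyone stares at screenshots. The following is an added example written for this thread, not WatchGuard code and not something posted by the participants. Only the 172.16.100.0/24 <==> 172.16.5.0/24 routes and the policy/tunnel names come from the thread; the external IPs 198.51.100.10 and 203.0.113.20 are constructed placeholders (RFC 5737 documentation addresses), and the dict layout is an assumption about how you would transcribe what Policy Manager shows.

```python
"""Cross-check a BOVPN pair: gateways, tunnel routes and the auto-created policies.

Added example for this thread, not WatchGuard code. Each site is a plain dict of what
Policy Manager shows; the tunnel routes come from the thread, while the external IPs
below are constructed (RFC 5737 documentation addresses).
"""
from ipaddress import ip_address, ip_network


def _net(cidr):
    return ip_network(cidr, strict=False)


def check_site(site, peer):
    """Findings for one side of the pair, using the peer's config as the reference."""
    findings = []
    name, tunnel = site["name"], site["tunnel_name"]
    # 1. Gateway endpoints must cross-match: my remote gateway is the peer's external IP.
    if ip_address(site["remote_gateway"]) != ip_address(peer["external_ip"]):
        findings.append(f"{name}: remote gateway {site['remote_gateway']} is not "
                        f"{peer['name']}'s external IP {peer['external_ip']}")
    local_nets = [_net(c) for c in site["local_nets"]]
    mirrored = {(_net(rem), _net(loc)) for loc, rem in peer["routes"]}
    for loc, rem in site["routes"]:
        ln, rn = _net(loc), _net(rem)
        # 2. The local side of a tunnel route must be a network behind this firewall.
        if not any(ln.subnet_of(n) for n in local_nets):
            findings.append(f"{name}: route local side {ln} is not behind this firewall")
        # 3. The remote side must not collide with a local network, or the firewall
        #    routes the traffic locally (or to the ISP) instead of into the tunnel.
        for n in local_nets:
            if rn.overlaps(n):
                findings.append(f"{name}: remote network {rn} overlaps local network {n}")
        # 4. The peer needs the exact mirror image of this route.
        if (ln, rn) not in mirrored:
            findings.append(f"{name}: route {ln} <==> {rn} has no mirror on {peer['name']}")
    # 5. The BOVPN-Allow policies must still reference this tunnel in the right direction.
    present = {(p["name"], p["from"], p["to"]) for p in site["policies"]}
    if ("BOVPN-Allow.in", "Any", tunnel) not in present:
        findings.append(f"{name}: missing policy BOVPN-Allow.in Any -> {tunnel}")
    if ("BOVPN-Allow.out", tunnel, "Any") not in present:
        findings.append(f"{name}: missing policy BOVPN-Allow.out {tunnel} -> Any")
    return findings


def check_pair(a, b):
    """All findings for both sides; an empty list means the pair is consistent."""
    return check_site(a, b) + check_site(b, a)


# Constructed sample matching the thread's tunnel routes; external IPs are placeholders.
SITE_A = {
    "name": "Site A", "external_ip": "198.51.100.10", "remote_gateway": "203.0.113.20",
    "local_nets": ["172.16.100.0/24"], "tunnel_name": "Tunnel to Site B",
    "routes": [("172.16.100.0/24", "172.16.5.0/24")],
    "policies": [{"name": "BOVPN-Allow.in", "from": "Any", "to": "Tunnel to Site B"},
                 {"name": "BOVPN-Allow.out", "from": "Tunnel to Site B", "to": "Any"}],
}
SITE_B = {
    "name": "Site B", "external_ip": "203.0.113.20", "remote_gateway": "198.51.100.10",
    "local_nets": ["172.16.5.0/24"], "tunnel_name": "Tunnel to Site A",
    "routes": [("172.16.5.0/24", "172.16.100.0/24")],
    "policies": [{"name": "BOVPN-Allow.in", "from": "Any", "to": "Tunnel to Site A"},
                 {"name": "BOVPN-Allow.out", "from": "Tunnel to Site A", "to": "Any"}],
}
# The kind of slip the asker found earlier: a wrong remote gateway IP, plus a mistyped subnet.
BROKEN_SITE_A = dict(SITE_A, remote_gateway="203.0.113.21",
                     routes=[("172.16.100.0/24", "172.16.50.0/24")])

if __name__ == "__main__":
    print("good pair:", check_pair(SITE_A, SITE_B) or "no findings")
    for finding in check_pair(BROKEN_SITE_A, SITE_B):
        print("broken pair:", finding)
```

Run it with both transcriptions side by side; a single wrong octet in a remote gateway or a tunnel route shows up as a finding on whichever side has it, and the mirror check catches a route that was entered on only one box. An empty result does not prove the tunnel works (Phase 1/Phase 2 settings and the shared key are not covered here), but it rules out the configuration slips the thread is chasing.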
Is the tunnel really UP? Can you post sanitized screenshots and/or logs?
MECIT (asker):

Here is screenshot from Site A:
[screenshot]
Site B is the opposite
Sent 0, received 0; interesting... it looks like no packet is getting routed over the tunnel.

Can you post sanitized screenshots of the VPN config from both boxes: gateway, tunnel, routing policy and firewall policy?
MECIT (asker):

Site A
[four screenshots]
Site B is the opposite
MECIT (asker):

Here are some logs from Site B:

2011-11-04 14:04:48 iked Use IKE Policy[Hondo]        Debug
2011-11-04 14:04:48 iked Ignore a re-transmitted message from 70.x.x.x:500 to 12.x.x.x cookies i=2be71757 31caf3e9 r=76ccd960 658c0994 since Phase 1 has ended        Debug
2011-11-04 14:04:48 iked ike_process_pkt : ProcessData returned error (-1)         Debug
2011-11-04 14:04:51 iked IkeLifeTimeout : remove the p1sa struct 183b78 (peer 70.x.x.x) in DELETING state        Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: try to delete Isakmp SA 0x183b78        Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: (DELETING) Isakmp SA 183b78 peer 70.x.x.x        Debug
2011-11-04 14:04:51 iked Use IKE Policy[Hondo]        Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: pcyName Hondo numP1SAActive 1        Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: found it, remove IkeSA 183b78 from IkePolicy        Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: from pcy list, P1SANum created 11, active 1        Debug
2011-11-04 14:04:51 iked IkeDropIkeSAByAddr: delete IkeSA from peerTable idx 115 peer1 0x0ccd18e4 peer2 0x46fcebc6        Debug
2011-11-04 14:04:51 iked (Delete P1SA) rasUserCapacity 1 count 0          Debug
2011-11-04 14:04:51 iked (Delete P1SA) maxPendingP2SARequest 128 current 0         Debug
2011-11-04 14:04:51 iked ******** RECV an IKE packet at 12.x.x.x:500(socket=11 ifIndex=2) from Peer 70.x.x.x:500 ********        Debug
2011-11-04 14:04:51 iked IkeFindIsakmpPolicy: -->        Debug
2011-11-04 14:04:51 iked ike_match_if_name: Match pcy [IPAD_mu] dev=anyE, pkt if[2]=eth0        Debug
2011-11-04 14:04:51 iked ike_match_if_name: Match pcy [Hondo] dev=eth0, pkt if[2]=eth0        Debug
2011-11-04 14:04:51 iked Found IKE Policy [Hondo, dev=eth0] for peer IP=70.x.x.x, numXform=1, pkt ifIndex=2        Debug
2011-11-04 14:04:51 iked IKE Policy details: 1th xform: grp=2 auth=1 encrypt=5 hash=2 lifeTime=28800 lifeKB=0        Debug
2011-11-04 14:04:51 iked IkeFindIsakmpPolicy: <--        Debug
2011-11-04 14:04:51 iked Use IKE Policy[Hondo]        Debug
2011-11-04 14:04:51 iked Ignore a re-transmitted message from 70.x.x.x:500 to 12.x.x.x cookies i=2be71757 31caf3e9 r=76ccd960 658c0994 since Phase 1 has ended        Debug
2011-11-04 14:04:51 iked ike_process_pkt : ProcessData returned error (-1)         Debug
All settings look good.

It doesn't look like the VPN tunnel is UP; I see retransmits being ignored and Phase 1 cookies deleted.

Can you remove all VPN settings from the box and save to flash [the box reboots]; then add the VPN settings again, save to flash again, and check the results [one by one on each box].

Thank you.
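The iked debug lines above are the most informative evidence in the thread, and the reading dpk_wal gives ("retransmits ignored, Phase 1 cookies deleted") can be made mechanical. The following Python script is an added example for this thread, not WatchGuard code and not posted by anyone in the discussion. It assumes the line shape `<date> <time> iked <message>   Debug` seen above, that the numbers in the `IKE Policy details` line are the IKEv1 Phase 1 attribute values from RFC 2409 Appendix A (so `encrypt=5` is 3DES-CBC and `grp=2` is the 1024-bit MODP group, which matches the default WatchGuard Phase 1 proposal), and that Phase 2 activity, when present, would be logged with wording such as "Quick Mode" or "Phase 2"; that last wording is an assumption, since no Phase 2 line appears in the thread. The sample input is a constructed subset of the posted Site B lines.

```python
"""Triage WatchGuard iked debug output for a BOVPN that shows 'active' but passes no traffic.

Added example for this thread, not WatchGuard code. Assumptions: lines look like
'<date> <time> iked <message>   Debug'; the numbers in 'IKE Policy details' are the
IKEv1 attribute values from RFC 2409 Appendix A; Phase 2 lines (not seen in the thread)
would mention 'Quick Mode' or 'Phase 2'.
"""
import re

# RFC 2409 Appendix A / IANA IKEv1 Phase 1 attribute values (assumed to be printed raw).
ENCR = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC", 4: "RC5-R16-B64-CBC",
        5: "3DES-CBC", 6: "CAST-CBC", 7: "AES-CBC"}
HASH = {1: "MD5", 2: "SHA1", 3: "Tiger"}
AUTH = {1: "pre-shared key", 2: "DSS signature", 3: "RSA signature"}
GROUP = {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536", 14: "MODP-2048"}

LINE_RE = re.compile(r"^\S+ \S+ iked (.*?)\s+Debug\s*$")
POLICY_RE = re.compile(r"Found IKE Policy \[([^,\]]+), dev=([^\]]+)\] for peer IP=([^\s,]+)")
XFORM_RE = re.compile(r"grp=(\d+) auth=(\d+) encrypt=(\d+) hash=(\d+) lifeTime=(\d+)")
RETRANS_RE = re.compile(r"Ignore a re-transmitted message from (\S+?):500 to (\S+) cookies "
                        r"i=(\S+ \S+) r=(\S+ \S+) since Phase 1 has ended")
DELETE_RE = re.compile(r"IkeLifeTimeout : remove the p1sa struct \w+ \(peer (\S+)\) in DELETING state")
P1COUNT_RE = re.compile(r"P1SANum created (\d+), active (\d+)")
PHASE2_RE = re.compile(r"Quick Mode|Phase 2|IPSec SA")  # assumed wording, not seen in the thread


def decode_xform(m):
    grp, auth, enc, hsh, life = (int(g) for g in m.groups())
    return {"dh_group": GROUP.get(grp, f"unknown({grp})"),
            "auth": AUTH.get(auth, f"unknown({auth})"),
            "encryption": ENCR.get(enc, f"unknown({enc})"),
            "hash": HASH.get(hsh, f"unknown({hsh})"),
            "lifetime_s": life}


def verdict(s):
    if s["phase2_seen"]:
        return "Phase 2 activity logged; look at tunnel routes and policies rather than IKE"
    if s["ignored_retransmits"] and s["p1_sa_timed_out"]:
        return ("Phase 1 finished on this side, but the peer kept retransmitting its Phase 1 "
                "message and the ISAKMP SA aged out with no Phase 2 exchange: the peer did not "
                "accept our last Phase 1 reply (check PSK, Phase 1 proposal and gateway IDs on "
                "both ends, and that UDP/500 replies reach the peer)")
    if s["ignored_retransmits"]:
        return "peer retransmitting after Phase 1 ended; expect SA deletion and no Phase 2"
    return "no Phase 1 problem visible in these lines"


def triage(lines):
    """Summarise a block of iked debug lines into counters plus a one-line verdict."""
    s = {"policy": None, "interface": None, "peers": set(), "phase1_proposal": None,
         "ignored_retransmits": 0, "retransmit_cookies": set(), "process_errors": 0,
         "p1_sa_timed_out": 0, "p1_created": None, "p1_active": None,
         "phase2_seen": False, "unparsed": 0}
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            s["unparsed"] += 1
            continue
        msg = m.group(1)
        if (p := POLICY_RE.search(msg)):
            s["policy"], s["interface"] = p.group(1), p.group(2)
            s["peers"].add(p.group(3))
        elif (x := XFORM_RE.search(msg)):
            s["phase1_proposal"] = decode_xform(x)
        elif (r := RETRANS_RE.search(msg)):
            # Peer is still sending a Phase 1 message this side considers finished:
            # it never accepted the final Phase 1 reply.
            s["ignored_retransmits"] += 1
            s["retransmit_cookies"].add((r.group(3), r.group(4)))
            s["peers"].add(r.group(1))
        elif "ProcessData returned error" in msg:
            s["process_errors"] += 1
        elif (d := DELETE_RE.search(msg)):
            s["p1_sa_timed_out"] += 1
            s["peers"].add(d.group(1))
        elif (c := P1COUNT_RE.search(msg)):
            s["p1_created"], s["p1_active"] = int(c.group(1)), int(c.group(2))
        elif PHASE2_RE.search(msg):
            s["phase2_seen"] = True
    s["verdict"] = verdict(s)
    return s


# Constructed sample: a subset of the Site B lines posted above.
SAMPLE = """\
2011-11-04 14:04:48 iked Use IKE Policy[Hondo]        Debug
2011-11-04 14:04:48 iked Ignore a re-transmitted message from 70.x.x.x:500 to 12.x.x.x cookies i=2be71757 31caf3e9 r=76ccd960 658c0994 since Phase 1 has ended        Debug
2011-11-04 14:04:48 iked ike_process_pkt : ProcessData returned error (-1)         Debug
2011-11-04 14:04:51 iked IkeLifeTimeout : remove the p1sa struct 183b78 (peer 70.x.x.x) in DELETING state        Debug
2011-11-04 14:04:51 iked IkeDeleteIsakmpSA: from pcy list, P1SANum created 11, active 1        Debug
2011-11-04 14:04:51 iked (Delete P1SA) maxPendingP2SARequest 128 current 0         Debug
2011-11-04 14:04:51 iked Found IKE Policy [Hondo, dev=eth0] for peer IP=70.x.x.x, numXform=1, pkt ifIndex=2        Debug
2011-11-04 14:04:51 iked IKE Policy details: 1th xform: grp=2 auth=1 encrypt=5 hash=2 lifeTime=28800 lifeKB=0        Debug
2011-11-04 14:04:51 iked Ignore a re-transmitted message from 70.x.x.x:500 to 12.x.x.x cookies i=2be71757 31caf3e9 r=76ccd960 658c0994 since Phase 1 has ended        Debug
2011-11-04 14:04:51 iked ike_process_pkt : ProcessData returned error (-1)         Debug
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Paste the Traffic Monitor output from each box into a file and feed it to `triage()`; the point of the counters is that "P1SANum created 11, active 1" together with repeated ignored retransmits and a lifetime-expired SA is a Phase 1 that keeps being rebuilt, not a working tunnel, no matter what the tunnel status screen shows.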
MECIT (asker):

Tried it, but same issue.

Active tunnel but no send/receive data.
Can you try to run a traceroute to one of the sites and see if you get to the firewall or the remote firewall?

Also check whether there are any persistent routes, for some reason, in one of the boxes.

MECIT (asker):

Site A has a persistent route to 172.16.5.0
I will test the traceroute and let you know.
MECIT (asker):

We have two sets of IP blocks that were assigned to us for our internet.
For testing I am using both sets, just in case.
Site A 70.x.x.x
Site B 12.x.x.x

Would this cause an issue?
Once in production the XTM will have a different IP.

When I did the traceroute, the 1st hop was the internal IP of the firewall and the 2nd hop was the gateway of the 70.x.x.x block; then it times out. This was on both devices.
MECIT (asker):

My mistake, Site A does not have a persistent route to that subnet.
SOLUTION
[answer hidden; requires an account]

ASKER CERTIFIED SOLUTION
[answer hidden; requires an account]
lol :)
Glad you solved it :)
MECIT (asker):

Thanks everyone for trying to help me resolve this.